When a large financial services clearinghouse issued a global directive to consolidate all GRC work streams onto a single GRC platform, the vice president of internal audit knew he had to step up to the plate. While other GRC stakeholder teams were using the organisation's GRC platform of choice, the internal audit department was using a separate audit software tool to help them manage their activities. The task before the internal audit VP was to enable the audit module in the GRC platform and configure it to support the current internal audit activities so the IA department could be weaned from its department-specific software.

The transition project also required the migration of content and data from the old system to the new system. In addition, the new solution needed to be configured to support the IA team’s audit methodology and had to be accessible to the geographically dispersed audit team, allowing them to complete key activities, share information and create reports as easily as before.

Stakeholders knew they could count on strong internal support from their IT team, who was trained on the GRC platform and was currently administering the application, as well as high-level support from the vendor. Confident, the clearinghouse initiated the transition project to the new audit module on the GRC platform — but as the project progressed, questions and issues began to arise regarding the best way to configure the tool. The audit team’s audit methodology did not align with the out-of-the-box functionality that came with the module. The recommendation from the vendor — to change the audit methodology to fit the module — was unhelpful, to say the least. Unwilling to change their audit approach, the VP of internal audit enlisted the help of a consulting firm, hoping they would be able to manage the project and configure the tool to meet the audit team’s requirements.

The project failed. A lack of in-depth knowledge about the standard features of the audit module and how to properly implement its functionality led to several configuration “no-no’s.” In addition, the team struggled to translate the clearinghouse’s audit methodology and map the company’s business needs to the functionality and technical capabilities of the module. Less-than-ideal implementation decisions prevented the audit department from taking advantage of out-of-the-box reports, roll-up calculations and other functionality, and led to the need for additional, expensive custom development and configuration work. At best, the audit team was looking at a solution that was complicated, difficult to use, potentially problematic during future upgrades, and simply would not meet their business needs. They were at a stalemate.

Failure Not an Option

After two unsuccessful implementation attempts, a looming deadline to migrate to the new GRC platform, and a tool that wouldn’t help his team, the vice president of internal audit turned to Protiviti. He knew that, as the organisation's internal audit co-source partner, Protiviti had the audit methodology expertise, but he needed to ascertain our technical expertise on the new application. The third time had to be successful.

The internal audit team, members of the previous implementation team and business owners met with the Protiviti GRC technology advisory team to discuss options. The meeting quickly moved from a high-level project overview discussion to a detailed question-and-answer session regarding the technical architecture of the audit module. At the end of the session, the team felt confident that Protiviti was the right partner in this high-stakes round.

Prior to initiating any changes in the system, the Protiviti team conducted workshops and interviews with audit team members to confirm their key audit activities, workflow and reporting requirements. This information was used to formulate a high-level plan that would support the team’s existing audit methodology. The plan was then shared with the clearinghouse, and also vetted with the third-party vendor to ensure it could be supported and aligned with the tool’s capabilities and would allow the team to take advantage of its strong reporting features.

Confident that the high-level plan was on target, the audit team gave Protiviti the okay to proceed with a detailed plan. Leveraging Protiviti’s Implementation Accelerator Pack, Protiviti sought the agreement of the key team members regarding the detailed configurations, reports and workflows needed by the audit team. The detailed plan mapped and transformed these requirements to the internal audit module’s architecture and capabilities. Further, business analysis results from meetings were documented using the client’s project management methodology. The resulting final architecture and design plan were then presented to the stakeholders.

The project was approved to move forward into production. It went live ahead of the deadline, following successful testing and a comprehensive training program, including guides, checklists and cheat sheets to get users off to a quick start. After two frustrating strikeouts, the third attempt, led by Protiviti’s GRC technical team, proved a home run.

Implementing a GRC solution is a lot about finding the best fit — features, functionality, etc. — for those who depend on it do their work daily. But as this story makes clear, it is also about selecting the right implementation partner — one who understands not just the tool but the business requirements that drive the technology requests and can help the organisation move forward with confidence.

Associate Director

+1.312.476.6303

Protiviti Member Firm LLC is the Oman Member Firm of the Protiviti network of independent and locally owned consulting firms. Member Firms are autonomous companies, are not agents of Protiviti Inc. or other firms in the Protiviti network and have no authority to obligate or bind other firms in the Protiviti network.